Snort mailing list archives
Rif: VERY simple 'virtual' honeypot
From: Alberto Beretta <punkbere () tin it>
Date: Fri, 8 Mar 2002 17:05:00 CET
The tool LaBrea can detect scans against virtual IP addresses. I'm working on a project in which LaBrea and a honeypot work together. LaBrea replies to packets generated for network scanning. The idea is to modify LaBrea to allow a real connection to virtual addresses: this traffic is forwarded to a honeypot. So you can detect the scan and gain information about hackers' methodologies.
From: Lance Spitzner <lance () honeynet org>
Date: 08/03/2002 05:34
To: "Snort-Users (E-mail)" <snort-users () lists sourceforge net>, <honeypots () securityfocus com>
Subject: VERY simple 'virtual' honeypot

Most honeypots work on the same concept, a system that has no production activity. You deploy a box that has no production value, any packets going to that box indicate a probe, scan, or attack. This helps reduce both false positives and false negatives. Examples of such honeypots include BackOfficer Friendly, DTK, ManTrap, Specter, and Honeynets.

However, I was just thinking, why bother deploying the box? Why not create a list of Snort rules that generate an alert whenever a TCP/SYN packet or UDP packet is sent to an IP address that has no system? This could indicate a probe, scan or attack, the same principles of a honeypot, but without deploying an actual system.

Of course this does not give you the Data Capture capabilities of a honeypot, as there is no system for the attacker to interact with. However, this could be used to help detect scanning or probing activity.

Thoughts?

--
Lance Spitzner
http://project.honeynet.org